Jakub Wilk reported a heap-based buffer overflow vulnerability in procmail's formail utility when processing specially-crafted email headers. A remote attacker could use this flaw to cause formail to crash, resulting in a denial of service or data loss.

Reproducible: Always

Patch attached to the associated Debian bug [DSA 4041-1] works:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876511
https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=876511;filename=formisc.c.patch.txt;msg=10

Please take care of this on top of https://bugs.gentoo.org/522114. At least it is just a recent discovery, not 3 years old.
@Maintainers please call for stabilization when ready. Thank you
*** Bug 638112 has been marked as a duplicate of this bug. ***
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=31e0e8db9e641bbe158add9c6d4907f2c3eb2d57

commit 31e0e8db9e641bbe158add9c6d4907f2c3eb2d57
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-03-24 00:22:31 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-03-24 00:26:04 +0000

    mail-filter/procmail: revbump to fix longstanding vulnerabilities

    This patch is a combination of patches from the OSS ML and the Debian bug tracker. Both patches and authors can be found in the below referenced bugs.

    Bug: https://bugs.gentoo.org/522114
    Bug: https://bugs.gentoo.org/638108
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 .../files/procmail-CVE-2014-3618-16844.patch  |  25 +++++
 mail-filter/procmail/procmail-3.22-r12.ebuild | 123 +++++++++++++++++++++
 2 files changed, 148 insertions(+)
@arches, please stabilize
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2d543e5e060df0597801b48334e0c4d880d1f25

commit c2d543e5e060df0597801b48334e0c4d880d1f25
Author:     Richard Freeman <rich0@gentoo.org>
AuthorDate: 2019-03-24 12:02:27 +0000
Commit:     Richard Freeman <rich0@gentoo.org>
CommitDate: 2019-03-24 12:02:27 +0000

    mail-filter/procmail: amd64 stable

    Bug: https://bugs.gentoo.org/638108
    Signed-off-by: Richard Freeman <rich0@gentoo.org>
    Package-Manager: Portage-2.3.62, Repoman-2.3.11

 mail-filter/procmail/procmail-3.22-r12.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
ia64 stable
ppc stable
ppc64 stable
s390 stable
hppa stable
Just an FYI. I'm on amd64, mail-filter/procmail-3.22-r12 hangs on incoming mail with 1 CPU at 100%. Went back to mail-filter/procmail-3.22-r10 and all is good again.

(In reply to Larry the Git Cow from comment #5)
> 
> mail-filter/procmail: amd64 stable
> 
Stopping stabilization. This is the second report of procmail hanging (our own infra as well).
sparc done
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=038c9f3140b69054f3de9cb4f1a6ccf292510952

commit 038c9f3140b69054f3de9cb4f1a6ccf292510952
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-28 00:44:20 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-28 00:44:20 +0000

    mail-filter/procmail: re-add security fix with crash fix

    Bug: https://bugs.gentoo.org/638108
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../procmail/files/procmail-3.22-crash-fix.patch |  58 ++++++++++
 mail-filter/procmail/procmail-3.22-r13.ebuild    | 125 +++++++++++++++++++++
 2 files changed, 183 insertions(+)
amd64 stable
I just had formail hang with -r13, the same as happened with -r12.
Has anyone considered that this part of procmail-CVE-2014-3618-16844.patch:

-  do
+  while(*start);

...might not exactly be having the desired effect?

The lack of braces makes this code fragile and hard to maintain, but here's a way to visualize what this patch is doing:

- do { ... } while (condition);
+ while (condition)
+ ;    <------ that is, infinite loop
+ { ...will never get here... }

The simple fix is to remove the semicolon. A better fix would add slight reformatting to make that code readable and maintainable.

Addressing the lack of error checking in realloc() in the second part of the patch is beyond the scope of this comment.
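An added example, not from this thread or from procmail's source, that models the three loop shapes the comment sketches (the original do/while, the patched line with its stray semicolon, and the semicolon-free fix) over a buffer of known length, so the faulty variant returns a verdict instead of hanging the demo; the function names and the MAX_STEPS guard are constructed here.

```c
#include <stddef.h>

/* Added illustration, not procmail's code: the three loop shapes discussed
 * above, run over a buffer of known length so each returns a verdict instead
 * of reading out of bounds or hanging.  Returns bytes consumed (>= 0),
 * -1 if the loop would touch buf[len] or beyond, -2 if it spins forever. */
#define MAX_STEPS 1000

/* Shape 1, `do { start++; } while (*start);`: body before test, so an empty
 * field steps past its NUL before anything is checked. */
int skip_do_while(const char *buf, size_t len)
{
    size_t i = 0;
    do {
        i++;
        if (i >= len)
            return -1;               /* empty field: already past the end */
    } while (buf[i]);
    return (int)i;
}

/* Shape 2, the patched line with its stray `;`: `while (*start); { start++; }`.
 * The `;` is the whole loop body, so nothing advances and the condition
 * never changes; the braced block is only reached when buf[0] is NUL. */
int skip_while_semicolon(const char *buf, size_t len)
{
    size_t i = 0, steps = 0;
    while (buf[i])                   /* stands in for `while (buf[i]);` */
        if (++steps > MAX_STEPS)     /* guard so the demo itself terminates */
            return -2;
    {                                /* the orphaned block */
        i++;
        if (i >= len)
            return -1;
    }
    return (int)i;
}

/* Shape 3, the intended fix, `while (*start) { start++; }`: test first, then
 * advance, so an empty field consumes nothing and others stop at their NUL. */
int skip_while_fixed(const char *buf, size_t len)
{
    size_t i = 0;
    while (buf[i]) {
        i++;
        if (i >= len)
            return -1;               /* only if no NUL exists within len */
    }
    return (int)i;
}
```

Feeding each function a non-empty field and an empty one shows the three outcomes side by side: the do/while overruns on the empty field, the semicolon variant spins on any non-empty field, and the fix does neither.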
Indeed, upon closer examination the Debian patch does not have the ";". This is what I've been running without issue for the last 1.5 years against the previous ebuild.
(In reply to Richard Freeman from comment #18)
> Indeed, upon closer examination the debian patch does not have the ;. This
> was what I've been running without issue for the last 1.5 years against the
> previous ebuild.

I'm also using a version without the semicolon.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ff36e4f6862f3949e3bfedd7bb352cd9d0602ffe

commit ff36e4f6862f3949e3bfedd7bb352cd9d0602ffe
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-03-30 17:02:56 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-03-30 17:02:56 +0000

    mail-filter/procmail: replace patch for CVE-2014-3618

    Fixes an infinite loop.

    Bug: https://bugs.gentoo.org/638108
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../files/procmail-3.22-CVE-2014-3618.patch        | 18 ++++++++++++++++
 .../files/procmail-3.22-CVE-2017-16844.patch       | 13 +++++++++++
 .../files/procmail-CVE-2014-3618-16844.patch       | 25 ----------------------
 ...il-3.22-r13.ebuild => procmail-3.22-r14.ebuild} |  3 ++-
 4 files changed, 33 insertions(+), 26 deletions(-)
x86 stable
arm stable
alpha stable
sparc stable
sh stable